Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Where to set clinet netmask in ASA, MSAD, split-tunnel, static IP from LDAP environment


I'm having a problem to set the netmask für SVC (anyconnect) clients when using a static IP assignment from MSAD via LDAP.

The schemata within MS AD has no netmask attribute.

We assign a 10.x.x.x address in the MS AD Dial-Up tab.

This results in that the client uses as the corresponding netmask which generates a dynamic route of into the SVC tunnel.

In split-tunnel situation, this is not the desired result.

We need to set the clients netmask to or even

How can this be done?


ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

aaa-server RADIUS_LDAP2 host
server-port 636
ldap-base-dn dc=rz,dc=tc,dc=corp
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=S_ASA_Auth2,ou=S_Group,DC=rz,DC=tc,DC=corp
ldap-over-ssl enable
server-type openldap
ldap-attribute-map TCCustLDAPAttrMap

crypto ca certificate map TCCertMap 20
subject-name attr ou eq ou_tc_sslvpn-1

enable outside
default-idle-timeout 3600
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
certificate-group-map TCCertMap 20 OU_TC_SSLVPN-1

group-policy OU_TC_SSLVPN-1-GrpPol internal
group-policy OU_TC_SSLVPN-1-GrpPol attributes
vpn-simultaneous-logins 500
vpn-idle-timeout none
vpn-filter value CustSslVpnAcl1
vpn-tunnel-protocol svc
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ssl-vpn-acl
user-authentication-idle-timeout none
  svc keepalive 60
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization

tunnel-group OU_TC_SSLVPN-1 type remote-access
tunnel-group OU_TC_SSLVPN-1 general-attributes
authorization-server-group RADIUS_LDAP2
default-group-policy OU_TC_SSLVPN-1-GrpPol
authorization-dn-attributes CN
tunnel-group OU_TC_SSLVPN-1 webvpn-attributes
authentication certificate
tunnel-group-map enable rules

New Member

Re: Where to set clinet netmask in ASA, MSAD, split-tunnel, stat

I've had this problem with the subnet mask assigning like you do, but found this thread and especialy this post

and it worked for me

hope this helps you too

cheers michael

Re: Where to set clinet netmask in ASA, MSAD, split-tunnel, stat

Thanx a lot Michael.

Now I use

ldap attribute-map TCCustLDAPAttrMap
  map-name  msRADIUSCallbackNumber IETF-Radius-Framed-IP-Netmask
  map-value msRADIUSCallbackNumber 23 4294966784
  map-value msRADIUSCallbackNumber 32 4294967295

So I use the Callback Field on the dial-in Tab on the User Properties to enter the bit lengt of the mask and mapp it to IETF-Radius-Framed-IP-Netmask.

Seems to work fine.

Again, thanks for the answer.

regards, chris

New Member

Re: Where to set clinet netmask in ASA, MSAD, split-tunnel, stat

Happy to here that it worked for you too.

Please rate the original post from
fdouble08 and halijenn

cheers Michael

CreatePlease to create content